SPECIFICATION
TITLE

METHOD AND ARRANGEMENT FOR AUTHENTICATING A
CONTROL UNIT AND TRANSMITTING AUTHENTICATION INFORMATION
TO THE CONTROL UNIT

BACKGROUND 

The preferred embodiment relates to a method and an arrangement for 
generating authentication information by means of which a data processing
system performs an authentication of a control unit. The preferred 
embodiment further relates to a method and an arrangement for 
authenticating a control unit of an electrophotographic printing or copying 
system. 

Known electrophotographic printers and copiers have communication
interfaces over which the control units and maintenance computers can be 
linked with the printer or copier for purposes of control, diagnostic analysis, 
and maintenance. In particular, security related settings of the printer or 
copier can be changed with the aid of the maintenance computers. If such
modifications are performed by insufficiently qualified operators or
unauthorized persons, e.g. over a network connection, the result may be a 
significant quality degradation and damage or destruction of assemblies of the 
printer or copier. 

In the case of known printers and copiers, a number of so-called user 
levels are provided, whereby a user can select a user level and verifies his
authorization to select this user level by inputting a password. Furthermore, 
with known printers and copiers, unauthorized persons may be able to acquire 
information about the structure and control structure of the printer or copier 
through unsecured access with the aid of the communication interface of the 
printer or copier. System parameters such as meter counts of the printer or
copier, which may be used for billing purposes, can also be manipulated over 
the communication interface of known printers or copiers.

The European Patent EP 0 513 549 A2 describes an arrangement for
controlling and transmitting data between a host computer and a copier 
control, whereby the communication does not occur until the successful 
identification of the host computer with the aid of a password. A control unit 
for communication control is also provided.

US 5,077,795 describes an electronic printing system in which the 
security of user data and user programs is ensured with the aid of a user 
profile for each user. The user profiles are managed by a security 
administrator on site or at a remote location. 

However, known access methods offer only an inadequate protection
of the printer's internal data and settings. In particular, a substantial risk 
associated with passwords is that they can be spied on with the aid of 
program modules that record the keyboard inputs. Another security risk 
associated with passwords is that they must be delivered to the respective
user, whereby it often cannot be guaranteed that unauthorized parties will not
acquire knowledge of the passwords during the transmission and/or delivery 
of the passwords. Nor is there any guarantee that authorized parties will not 
disseminate the passwords to unauthorized parties. An effective local 
protection of known printers or copiers could only be achieved by preventing
unauthorized parties from gaining physical access to the communication
interface of the printer or copier. But in that case the print data could not be 
transmitted to the printer over a network that is also linked to global networks 
such as the Internet over which unauthorized parties also have access to the 
printer. But such techniques also foreclose the possibility of remote
maintenance, remote diagnostic analysis, or remote control of the printer by
service specialists that are not on site. 

SUMMARY 

An object is to propose a method and an arrangement with which it is 
easy to authenticate a data processing system.

In a method and arrangement for authenticating a data processing
system, first information is generated by a first data processing system and
delivered to a second data processing system for a control unit. First data are
transmitted from the second data processing system to the first data
processing system over a data line, the first data being generated by the 
second data processing system with aid of the first information and additional 
information contained in the second data processing system. Second data 
are generated by the first data processing system depending on the first data
and transmitted from the first data processing system to the second data 
processing system. Authentication information for authenticating the second 
data processing system is generated by the second data processing system 
with aid of the second data.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a block wiring diagram of a system for generating and 
transmitting a key for authenticating a service and maintenance computer; 

Figure 2 is a control interface for requesting the key at an authorization
server;

Figure 3 is a block circuit diagram for the authenticating of the service
and maintenance computer by a printer; and

Figure 4 is an output window with a text message that is output in the
event of authorization failure. 

DESCRIPTION OF THE PREFERRED EMBODIMENT 

For the purposes of promoting an understanding of the principles of the
invention, reference will now be made to the preferred embodiment illustrated 
in the drawings and specific language will be used to describe the same. It 
will nevertheless be understood that no limitation of the scope of the invention 
is thereby intended, such alterations and further modifications in the illustrated
device, and/or method, and such further applications of the principles of the
invention as illustrated therein being contemplated as would normally occur 
now or in the future to one skilled in the art to which the invention relates. 

What a method for authenticating a data processing system achieves is 
that the second data are supplied to the second data processing system in a
very secure fashion, and with the aid of the second data, the second data
processing system generates authentication information with which an
authentication procedure can be advantageously executed automatically
without intervention by a human operator. 

A second aspect of the preferred embodiment relates to an 
arrangement for authenticating a data processing system. A first data 
processing system generates first information. The first information is sent to
a second data processing system of a control unit. The second data 
processing system generates first data with the aid of the first information and 
additional information that is contained in the second data processing system. 
The arrangement contains a data line over which first data are transmittable
from the first data processing system to the second data processing system
{sic}. The first data processing system generates second data depending on 
the first data. The second data are transmittable from the first data 
processing system to the second data processing system over the data line. 
With the aid of the second data, the second data processing system
generates authentication information for authenticating the second data
processing system. 

The effect of this arrangement of the preferred embodiment is that the 
generation and transmission of the second data for generating the 
authentication information by means of the second data processing system
can be executed easily and without complex user intervention. Furthermore,
because the second data processing system generates the authentication 
information with the aid of the second data, an authentication of the second 
data processing system by an additional data processing system and/or the 
first data processing system is easy to realize. 

A third aspect of the preferred embodiment relates to a method for
authenticating a control unit of an electrophotographic printing or copying 
system. First data are stored in a first data processing system of the control 
unit. The first data processing system generates authentication information 
with the aid of the first data. With the aid of authentication data the
authentication information is transmitted to a second data processing system
of the printing or copying system. The authenticity of the first data processing
system is checked or validated by the second data processing system. With
the aid of the authentication data, access rights for the first data processing
system are defined by the second data processing system. 

An authentication of the control unit and the defining of access rights of 
the control unit are very easy with the method of the preferred embodiment. 
Complicated and costly user interventions by a human operator are not
required in order to authenticate the control unit. 

A fourth aspect of the preferred embodiment relates to an arrangement 
for authenticating a control unit of an electrophotographic printing or copying 
system. First data are stored in a first data processing system of the control
unit. The first data processing system generates authentication information
with the aid of the first data. The first data processing system transmits 
authentication data to a second data processing system of the printing or 
copying system, which data contain the authentication information. The 
second data processing system checks the authenticity of the first data
processing system, whereby it defines access rights of the first data
processing system with the aid of the authentication data. With this 
arrangement of the preferred embodiment an authentication of the control unit 
can be executed very easily by the control unit of the printing or copying 
system. Such authentication does not require intervention by a human
operator. Furthermore, with this arrangement a very secure authentication of
the control unit is performed, and foreign or external access to the data 
processing system of the printing or copying system is prevented. 

Figure 1 represents a system 10 for generating and transmitting a key 
12 that serves for the authenticating of a service and maintenance computer
14 by an additional data processing unit of a printer which is not represented.
The system 10 contains an authorization server 16 that is linkable with the 
service and maintenance computer over a network connection 18. The 
generation and transmission of the key 12 is also referred to as an approval or 
enable procedure of the service and maintenance computer 14. A data
connection between the service and maintenance computer 14 and the
authorization server 16 is needed for this approval procedure, for instance 
over network 18.

The authorization server 16 generates what is known as a transaction
number (TAN). The transaction number is a series of numbers and/or letters 
that a human operator must enter at the service and maintenance computer in 
order to execute the approval procedure. The transaction number generated 
by the authorization server 16 is sent to the operator by mail or e-mail. The
operator is preferably a service technician from the printer manufacturer with 
a portable computer, a so-called notebook, as the service and maintenance 
computer 14. The service technician's service and maintenance computer 14 
is referred to hereinafter as the service notebook. 

After receiving the transaction number by mail or e-mail, the service
technician starts a program module for executing the approval procedure on 
the service notebook 14. The service technician enters the transaction 
number by means of an interface and starts the approve operation. The 
program module detects a predetermined hardware identifier, for instance the
serial number of the processor or of an adapter. A hardware identifier of this
kind is also referred to as the fingerprint of the service notebook 14. The 
serial number and transaction number are transmitted to the authorization 
server 16 over the network connection 18. The authorization server 16 
checks the validity of the transaction number and defines an authorization
level for the service notebook based on said number, which will subsequently
determine the access rights of the service notebook 14 to the control units 
and databases of a printer when the notebook and printer are linked. 

The authorization server 16 also defines a validity date until which an 
authorization by a printer is possible with the aid of the generated key 12. A
period in which a service notebook 14 can be approved with the aid of the
transmitted transaction number is also defined. With the aid of the transmitted 
hardware identifier, validity date, and authorization level, the authorization 
server 16 generates what is known as a key 12, which contains this 
information in coded form and/or by means of which this information can at
least be checked. The key 12 is transmitted over the network 18 to the
service notebook 14 and stored in a memory area of the service notebook 14. 



SUBSTITUTE SPECIFICATION 



An approval procedure for approving the service notebook 14 is thus 
implemented by means of the system 10. The key 12 that is stored in the 
service notebook 14 as a result of this approval procedure contains the 
hardware identifier, expiration date and access rights of the service notebook 
14 in encrypted form.

In other exemplifying embodiments, at least the hardware identifier, the 
expiration date, and the access rights can be checked with the aid of the key 
12. In other exemplifying embodiments the transaction number can also be 
generated by a separate institution. The transaction number must then be
sent to the service technician for entry into the service notebook 14 and
entered into the authorization server 16. The network link 18 according to 
Figure 1 is a connection via a wide area network such as the Internet. If an 
Internet connection such as this is chosen, the data transfer occurs with the 
aid of a secure transmission channel. 

Alternatively, in other exemplifying embodiments a point-to-point
connection, e.g. by means of a modem, can be transmitted over a public 
telephone network. In order to enhance transmission security, known 
encryption methods can be used for data transmission. Furthermore, with the 
aid of the system 10 a service technician can approve the service notebook
14 from an arbitrary location that is linkable with the network 18. Thus it is
also possible to approve the service notebook 14 from a customer's telephone 
terminal or any other telephone terminal. 

If the validity period of key 12 has expired, the service notebook 14 
must be reapproved. Reapproval is performed according to the same
procedure described for the first approval of the service notebook 14.

Different keys 12 are generated and delivered by the authorization 
server 16 for different notebooks at the same authorization level. However, 
the authorization level and validity period can be determined unambiguously 
from these different keys 12 without the respective key 12 itself having to be
known to a data processing system of the printer that checks the authenticity
of the service notebook 14. As a result, it is not necessary to inform all 
printers about which of the technician's notebooks 14 and which other control
units have authorization to access the database and/or control units of the
respective printer. Such a service notebook 14 is linked with a printer locally 
or over a network connection 18 as a control unit, it being possible to read the 
printer's settings and transmit modified settings to it by means of the service 
notebook 14, to operate the printer by means of the service notebook 14, and
to run a diagnostic analysis of the printer or its assemblies by means of the 
service notebook 14. 

For each individual parameter the authorization level until which a read 
and/or write access to this setting parameter is permitted can be defined by
means of the printer software or firmware. Write access to setting parameters
is advantageously allowed only to users with a high authorization level. 

Figure 2 represents a control interface 20 for approving the service 
notebook 14. The control interface 20 is generated with the program module 
for approving the notebook 14 that was started by the technician on the
notebook 14 and output on a display device of the notebook 14. With the aid
of this control interface 20 the operator can choose the type of connection to 
the authorization server 16. The operator can enter or select the network 
address or, if the notebook 14 is connected to the authorization server 16 over 
a network connection of the World Wide Web of the Internet, the Internet
address of the authorization server 16 in an input and output field 22.
Alternatively, a point-to-point connection of the service notebook 14 to the 
authorization server 16 can also be set with the aid of a selection field 24 if, 
for example, the notebook 14 and the authorization server 16 are linkable 
over modems with the aid of a telephone network. For a point-to-point
connection, the operator can enter the required data for the setup of the
point-to-point connection in the input region 26. These data relate in particular to a
log-in name and a password for setting up the connection and a telephone 
number via which the authorization server is reachable over the telephone 
network. A protocol is also selectable. 

Region 26 also contains an output field in which the connection status
is displayed. A connection over the telephone network can be established
with the aid of a graphic button 28. An existing connection can be interrupted
with the aid of the graphic button 30, and the setup and dismantling of a
connection can be interrupted with the aid of the graphic button 32. The 
transaction number (TAN) that was sent is entered into input field 34. After 
inputting the transaction number, the operator can start the registration 
process at the authorization server with the aid of the graphic button 36,
whereby the program module transmits the transaction number and the 
number of the processor of the service notebook 14 to the authorization 
server 16. The program module contains special program elements for 
detecting the serial numbers of the processor. 

As described above in connection with Figure 1, after checking the
validity of the transaction number, the authorization server 16 determines a 
key 12 with the aid of the processor's serial number and other information. 
After the key 12 is generated, it is transmitted to the notebook 14. The key 12 
is stored in a dedicated memory area of the notebook 14. After the key 12
has been successfully transmitted to the notebook 14, the button 38 is
displayed as active, indicating that the notebook 14 has been successfully approved.
Activating the graphic button 38 terminates the approval operation and ends 
the running of the program module for approval. 

Figure 3 is a block wiring diagram representing the authentication of
the notebook 14 by a printer 40. The notebook 14 is connected to the printer
40 over a network connection 42. As explained above in connection with 
Figures 1 and 2, a key 12 is stored in the notebook 14, which contains 
information about the serial number of the processor, the validity period of the 
key, and the access rights of the service notebook 14. This information is
preferably contained in the key 12 in coded form. Alternatively, this
information can at least be checked with the aid of the key 12. 

Before the notebook 14 receives access to setting parameters and 
diagnostic functions of the printer 40, the printer 40 performs an authorization 
of the service notebook 14. For that purpose, a program module of the printer
detects the presence of the key 12 on the service notebook 14 and the
authorization level of the notebook 14 over the network 42.

The authorization by the printer 40 is preferably achieved through the
challenge and response technique. The printer 40 transmits a random 
number to the service notebook 14. With the random number, the service 
notebook 14 performs a non-bypassable mathematical computation operation 
depending on the key 12. The result of this computation operation is
transmitted to the printer 40 over the network connection 42. The printer 40 
checks the computation result by performing a mathematical computation 
operation that leads to the same result. If the two results match, then 
authentication of the notebook 14 by the printer 40 is successful. 

As already mentioned, in the printer 40 it is specified for each setting
parameter of the printer 40 whether users with a particular authorization level 
have read and/or write access to the value of the setting parameter. The 
service notebook 14 is one such user. Upon the successful authentication of 
the notebook 14, the printer 40 transmits data for generating a graphic user
interface for controlling, configuring, and servicing the printer 40 to the
notebook 14. The transmitted data are processed by the notebook with the 
aid of a browser program module. The graphic user interface preferably 
contains control interfaces, which are selectably displayed with the aid of 
menus. 
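
The following is an added illustration, not code from the specification, of the challenge and response check and the per-parameter authorization levels described above. It assumes the key 12 is an HMAC-SHA-256 over the hardware identifier, validity date and authorization level under a secret shared by the authorization server and the printer, and that each parameter has a minimum level for read and write; all names and sample values are constructed.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Assumption: authorization server and printer share this secret, so the
# printer can re-derive any notebook's key from the claims it presents and
# never needs a list of issued keys. Constructed demo value.
MASTER_SECRET = b"constructed-demo-master-secret"

# Constructed sample table: minimum authorization level per parameter and operation.
PARAM_ACL = {
    "meter_count": {"read": 1, "write": 3},
    "fuser_temperature": {"read": 2, "write": 3},
}


def _claims_bytes(hw_id: str, valid_until: date, level: int) -> bytes:
    # Length-prefix the hardware identifier so field boundaries are unambiguous.
    hw = hw_id.encode()
    return len(hw).to_bytes(2, "big") + hw + valid_until.isoformat().encode() + bytes([level])


def issue_key(hw_id: str, valid_until: date, level: int,
              master: bytes = MASTER_SECRET) -> bytes:
    """Authorization server: bind fingerprint, validity date and level into a key."""
    return hmac.new(master, _claims_bytes(hw_id, valid_until, level), hashlib.sha256).digest()


def notebook_response(key: bytes, challenge: bytes) -> bytes:
    """Service notebook: keyed computation over the printer's random number."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Printer:
    def __init__(self, master: bytes = MASTER_SECRET):
        self._master = master
        self._pending = {}  # hw_id -> outstanding single-use challenge

    def challenge(self, hw_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[hw_id] = nonce
        return nonce

    def authenticate(self, hw_id: str, valid_until: date, level: int,
                     response: bytes, today: date) -> int:
        """Return the granted authorization level, or 0 if authentication fails."""
        nonce = self._pending.pop(hw_id, None)  # consumed: a replayed response fails
        if nonce is None or today > valid_until:
            return 0
        # Re-derive the key from the presented claims; altered claims give a
        # different key and therefore a different expected response.
        key = issue_key(hw_id, valid_until, level, self._master)
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return level if hmac.compare_digest(expected, response) else 0

    @staticmethod
    def allowed(level: int, param: str, op: str) -> bool:
        """Per-parameter check: unknown parameters are denied."""
        rule = PARAM_ACL.get(param)
        return rule is not None and level >= rule[op]


if __name__ == "__main__":
    printer = Printer()
    hw, expiry = "00:11:22:33:44:55", date(2030, 1, 1)  # constructed sample values
    key = issue_key(hw, expiry, 2)
    nonce = printer.challenge(hw)
    granted = printer.authenticate(hw, expiry, 2, notebook_response(key, nonce), date(2029, 6, 1))
    print("granted level:", granted)
    print("may write fuser_temperature:", Printer.allowed(granted, "fuser_temperature", "write"))
```

Because the claims are bound into the key, a notebook that presents a higher level or a later validity date than the server issued produces a response the printer rejects.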

The graphic user interface and the control interfaces are preferably
designed in such a way that they are automatically adapted to the 
authorization level of the notebook 14. If the notebook 14 is not authorized for 
a read and/or write access of the setting value of a setting parameter based 
on the assigned authorization level, this setting value is not displayed or is
displayed only as inactive. If the notebook 14 lacks authorization to execute a
diagnostic function, then this diagnostic function is not offered, i.e. not 
displayed, with the control interface and/or the menu items. That way, the 
operating of the control interface at lower authorization levels is easier and 
more clearly arranged. 

With an authorization procedure such as the one described in
connection with Figures 1 to 3, it is easy to prevent accidental or intentional
manipulations and incorrect settings of setting parameters of the printing
system. It is possible for the service notebook 14 to access the printer over a
direct data line on site as well as remotely over a network connection, e.g. 
over the Internet or a telephone network. That way, remote maintenance, 
remote control and remote diagnostic analysis are easy to perform.

If the user interface for operating, configuring, and diagnostically
analyzing the printer 40 is transmitted from the printer 40 to the notebook 14 
over the network 42 and displayed there with the aid of a display program 
module, e.g. with the aid of a browser, then all the notebook 14 requires is 
software for requesting and managing the key 12, which must be stored in a 
storage area of the notebook 14 in addition to its standard software and
processed by the notebook 14. The standard software of the service 
notebook 14 comprises at least one operating system and one browser 
program module. 

The browser program module advantageously contains a Java
Runtime program environment. The processing of Java Applets is very easy
with the aid of this Java Runtime environment. With the aid of the Java 
Applets comprehensive operating, diagnostic, and configuration functions as 
well as a graphic user interface can be generated, which are output via the 
browser program module. It is not necessary to transmit and verify
passwords. In particular, an inherent risk of such a password is that the
password may be disseminated to another technician or operator, for example 
in the event that the service technician or operator is replaced for a weekend 
or during a vacation. Often these passwords are also written down and could 
reach unauthorized parties that way also. 

According to the authentication of the preferred embodiment of the
service notebook 14, the notebook contains all the data needed for its 
authentication. In the event of a substitution during a vacation or weekend, 
the notebook 14 is simply handed over to another technician or operator. The 
substitute technician or operator does not receive any information with which
it is possible to access the printer 40 using another service notebook or
another data processing system after returning the service notebook 14.

Figure 4 represents an output window with a text message that is
output on the notebook 14 in the event of unsuccessful approval and in the 
event of expiration of approval. With this text message the technician is 
informed that the notebook 14 is not approved and he has no access to 
service tools, diagnostic tools, or documentation. Using the graphic button
44, the operator can start the program module for approving the notebook 14, 
whereby the control interface represented in Figure 2 is output. But approval 
as described in connection with Figure 2 is possible only if the operator has a 
valid transaction number. If graphic button 46 is activated, the program
module for approval is not started, and the service and diagnostic tools
requiring an authorization level are not available to the technician at notebook 
14, nor is service documentation. 

Alternatively to the serial number of the processor, a so-called MAC 
address of the network card contained in the service notebook 14 can be
used as the hardware identifier. The MAC address is also referred to as the
Ethernet address. The MAC address is a worldwide unique identifier of a 
network adapter. It is used in layer 2 of the OSI model for addressing. The 
MAC address is stored in a ROM memory of the network adapter and cannot 
be modified by means of program modules of the notebook 14. The MAC
address is six bytes long and contains the manufacturer and the serial
number of the respective network adapter in encrypted form. The MAC 
address is readable with known program modules. The MAC address thus 
serves as a unique identifier of the service notebook 14. 

Furthermore, it is expedient to provide several user groups, each with
an authorization level allocated to it. With this kind of an authentication,
customer data such as overlays, character sets, and other resources can be 
protected against unauthorized reading or modification. An authorization of 
other internal and external operating units of the printer can also be performed 
before these units are given access to the setting parameters and control
functions of the printer. The unauthorized operating of the printer 40 that can
occur over a network to which the printer 40 is linked is also prevented this 
way. A cryptography technique with which information is encoded and 
decoded is preferably used, particularly an asymmetric or symmetric
encryption technique. The key 12 can also contain a legitimation code. The 
key 12 is preferably a public key or a private key. Alternatively, a signature 
can be used instead of a key.

Despite the representation and detailed description of preferred
exemplifying embodiments in the drawings and the description above, these 
should be understood purely as exemplary and not as limiting the invention. It 
bears emphasizing that only the preferred exemplifying embodiments are 
represented and described, and protection is intended to extend to all
alterations and further modifications that are or will be within the scope of the 
invention. 



